Anyone Using the Employee Number as the Login ID?

Question: Hi, we are contemplating moving to a login ID consisting of the employee number. I am interested in hearing from anyone who is currently using this format so I may include their experiences in our decision making process.

Thanks,

Kerry

Answer:
Hi Kerry,

You ask this in the security forum, so I presume that is your concern. PNR is no better or worse than any other type of easily determinable or guessable ID. But it will have a theoretical effect on the ease of dictionary attacks on the password.

SAP's password logic includes the user ID and the password as the only variables in the algorithm and is SID independent. Restricting the user name to a six-character (presumably) numeral where each character can only draw a value from 10 (0 -> 9) possible ones will mean that the occurrence of a hash code collision increases significantly. Making full use of all 7-bit ASCII values (and only them) for any character of the user ID and the password decreases the rate of collisions.

But if someone wants to crack your password, they will most likely get it right anyway or more likely find a much faster and easier way to change it and then put the old one back again without needing to know exactly what it was.

Tarr

Answer:

Restricting the user name to a six-character (presumably) numeral where each character can only draw a value from 10 (0 -> 9) possible ones will mean that the occurrence of a hash code collision increases significantly.

Yes, but you can't exploit this practically, because as an attacker, you have to provide username and password. If you provide a wrong username (which, together with your 'cracked' password, gives the correct hash value), the system won't let you in.

Have fun,
Marc
_________________
Bigmouth strikes again!
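
A worked illustration of the two points above (Tarr's: the hash takes only the user ID and the password as inputs, so a dictionary attack has to be rehashed per user; Marc's: a user ID/password pair that merely collides on the hash does not log in). This is an example added here, not code from the original thread or from SAP. The hash is a toy stand-in built on SHA-256 and says nothing about SAP's real algorithm; the user store, the dictionary and the IDs 50005077, JARBOEJ, 50005078 and 99999999 are constructed for the example. A 16-bit truncated variant exists only so that collisions can be found in seconds.

```python
import hashlib


def login_hash(user_id: str, password: str) -> str:
    """Toy login hash whose only inputs are user ID and password.

    Assumption: models the property the thread describes (ID + password in,
    nothing system-specific); it is NOT SAP's actual algorithm.
    """
    return hashlib.sha256(f"{user_id}\x00{password}".encode("utf-8")).hexdigest()


def weak_login_hash(user_id: str, password: str, bits: int = 16) -> int:
    """Same construction truncated to `bits` bits, so collisions are findable."""
    digest = hashlib.sha256(f"{user_id}\x00{password}".encode("utf-8")).digest()
    return int.from_bytes(digest, "big") >> (256 - bits)


# Constructed sample data (not from the page): a PERNR-style numeric ID and a
# name-style ID sharing one password, plus a third user and a tiny dictionary.
USERS = {
    "50005077": "Summer2008",   # PERNR-style login ID
    "JARBOEJ": "Summer2008",    # name-style login ID
    "50005078": "letmein",
}
DICTIONARY = ["password", "welcome", "letmein", "Summer2008", "sap123"]


def build_store(users, hash_fn=login_hash):
    """The 'password table': user ID -> hash(user ID, password)."""
    return {uid: hash_fn(uid, pw) for uid, pw in users.items()}


def verify_login(store, user_id, password, hash_fn=login_hash) -> bool:
    """Login recomputes the hash under the *presented* user ID and compares it
    with the hash stored for that same ID.  A hash that was produced under a
    different ID is never compared against, which is Marc's point."""
    stored = store.get(user_id)
    return stored is not None and hash_fn(user_id, password) == stored


def dictionary_attack(store, dictionary, hash_fn=login_hash):
    """Offline dictionary attack on a leaked store.

    Because the ID is an input to the hash, every guess must be rehashed per
    user; the cost is len(dictionary) guesses per user and does not depend on
    whether the IDs are numeric or name-based (user IDs are not secret).
    Returns (recovered passwords, number of hash computations).
    """
    recovered, attempts = {}, 0
    for uid, stored in store.items():
        for guess in dictionary:
            attempts += 1
            if hash_fn(uid, guess) == stored:
                recovered[uid] = guess
                break
    return recovered, attempts


def find_weak_collision(victim_id, victim_pw, other_id, bits=16, limit=2_000_000):
    """Brute-force a password that, under `other_id`, collides with the
    victim's truncated hash.  About 2**bits tries on average."""
    target = weak_login_hash(victim_id, victim_pw, bits)
    for i in range(limit):
        candidate = f"pw{i}"   # never equals the victim's real password
        if weak_login_hash(other_id, candidate, bits) == target:
            return candidate
    return None


def collision_logs_in(users, victim_id, other_id, bits=16) -> bool:
    """Does a colliding (other_id, password) pair authenticate?

    With other_id being an account that does not exist, the answer is False:
    the store has no entry to compare against.  With other_id == victim_id
    the collision is a same-user password collision and does log in, which is
    the only kind of collision that matters, and the truncation is what makes
    it findable here.
    """
    weak = lambda u, p: weak_login_hash(u, p, bits)
    store = build_store(users, weak)
    other_pw = find_weak_collision(victim_id, users[victim_id], other_id, bits)
    assert other_pw is not None, "search limit exhausted"
    return verify_login(store, other_id, other_pw, weak)


if __name__ == "__main__":
    store = build_store(USERS)
    print(dictionary_attack(store, DICTIONARY))
    print("colliding pair under a non-account ID logs in:",
          collision_logs_in(USERS, "50005077", "99999999"))
    print("same-user collision logs in:",
          collision_logs_in(USERS, "50005077", "50005077"))
```

The dictionary attack recovers all three passwords in 11 hash computations whatever the ID style, and the only difference a numeric ID makes to the attacker is nil, since the ID is visible in the store anyway. The colliding pair found under 99999999 is rejected at login; only a collision under the victim's own ID logs in, and that is only feasible because the example truncates the hash to 16 bits.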

Answer:
The option "self explanatory" remains optional.

Answer:
It's the secrecy of the password, not the username, that provides for the security of the system.

Answer:
While using the Employee number as an ID is done in some companies it is NOT recommended.
1. It allows people to easily find HR info about other people with a simple table view. Most HR users use SE16 as their reporting tool as it is quick and simple. With the ID as the Personnel number, you are one step closer to finding HR info. Over time people will recognize the person by their ID.
2. If the ID is more in keeping with the user's name (like JARBOE,J) then change documents and history records are far easier to read and decipher what is going on than requiring yet another step to find out who 50005077 is, and in cases where you may not have access to this info.

Answer:

1. It allows people to easily find HR info about other people with a simple table view. Most HR users use SE16 as their reporting tool as it is quick and simple. With the ID as the Personnel number, you are one step closer to finding HR info.

If this were true, I guess most people would even see this as a pro-PERNR argument.

Have fun,
Marc

Answer:
All up to the point where you get disgruntled employees because someone finds what you make and they do not believe you are worth it and think they should be paid more than you...

Answer:
The same applies to vendors...

If the person (seeker) wants the information, then they generally will be able to get it somehow,... even if it means asking. Making it difficult so that the skill set required does not exceed yours (as a security admin) should be in your job description... (even though you tell your boss that it is impossible)...

Tarr

Answer:
All up to the point where you get disgruntled employees because someone finds what you make and they do not believe you are worth it and think they should be paid more than you...

Access to HR information can and should be given on a need-to-know basis. If a legitimate HR user who has access to salary information gets disgruntled, there's not much you can do. This is independent of what type of user ID you are using.

Have fun,
Marc
_________________
Bigmouth strikes again!
Copyright © 2007 - 2008 www.jt77.com